Wavlink NU516U1 Firmware Patch Bypass Leading to Command Injection

Key Information Important Reminder: Distinction from CVE-2025-10963 and Patch Bypass Explanation This submission is not a duplicate of the previously disclosed CVE-2025-10963, but rather documents a patch bypass (incomplete fix) found in the vendor’s latest firmware. In the older firmware (V240425) associated with CVE-2025-10963, the parameter was directly concatenated into system commands without any effective sanitization. In the newly tested firmware (V251208), the vendor attempted to fix CVE-2025-10963 by introducing a new filtering function, . However, our reverse engineering revealed a critical logical flaw in this new patch: while the blacklist filter successfully blocks characters such as , , and , it fatally omits the semicolon ( ) — a crucial command separator. This report specifically demonstrates how attackers can exploit this newly introduced, flawed filter to bypass the vendor’s security patch and re-exploit CVE-2025-10963 via semicolon injection. Since the underlying code logic has fundamentally changed (with the addition of a defective sanitization layer) and the exploitation mechanism differs, this constitutes a separate vulnerability related to the incomplete fix. Overview Vendor: Wavlink Product: NU516U1, Version: WAVLINK-NU516U1-A-WO-20251208-BYFM Product Use: USB Print Server Type: Command Injection Vulnerability Description A command injection vulnerability exists in the component of the Wavlink NU516U1 (V251208) router firmware (version M16U1_V251208). The vulnerability resides in the function, which processes the parameter. This parameter is checked by the filtering function , but due to an insufficiently strict implementation of the blacklist mechanism, the critical command separator semicolon ( ) is omitted. This allows an authenticated remote attacker to craft a malicious parameter and use to inject arbitrary shell commands into system calls, thereby gaining full control over the device. Vulnerability Details Affected Component: Affected Functions: (main logic) & (filtering logic) In the function, firewall parameters are retrieved from user input. The value of the firewall parameter is assigned to , and then is called. Main Logic Execution: sub_4016D0 (Triggering the Vulnerability) This function acts as the “executor” and blindly trusts data checked by the aforementioned filtering function. 1. Input Retrieval: Retrieves user input via — the value submitted via the HTTP parameter . 2. Filtering Call: Calls to check the input. If the function returns 1 (illegal character detected), it exits with an error; if it returns 0 (considered safe), execution continues. 3. Dangerous Concatenation: Upon entering the branch, the program directly uses to concatenate the user input into a system command string: . 4. Command Execution: Finally, it calls , which is a wrapper for , passing the concatenated string directly to for execution. Filtering Logic Failure: sub_405B2C (Root Cause) This function serves as the “security checker,” but it fails to include one of the most critical characters in its blacklist: - How it Works: The function receives the user input string and iterates through each character using a loop. It uses to check if the character exists in a predefined “blacklist” string. - Blacklist Content: The blacklist defined in the code is extensive: , covering dangerous characters such as pipes, redirections, variable references, subshells, etc. - Critical Flaw (Root Cause): The blacklist does not include the semicolon ( ), which is a vital command separator.

Goal Reached Thanks to every supporter — we hit 100%!

Wavlink NU516U1 Firmware Patch Bypass Leading to Command Injection

More from this source